Western Nevada College (WNC) developed and implemented this Identity Theft Prevention Program pursuant to the Federal Trade Commission's Red Flags Rule, which implements Section 114 of the Fair and Accurate Credit Transactions Act of 2003. In recognition that some activities of WNC are subject to the provisions of this Rule as promulgated by the Commission, the college adopted the following policy. This policy complements, and is supported by existing department data security policies at the college.

Section 1: PurposeAs required, WNC establishes an "Identity Theft Program" to detect, identify, and mitigate identity theft in the accounts covered under the Red Flag rules at the college.

A. The college will incorporate relevant Red Flags into a policy to enable the college to detect and respond to potential identity theft.

B. The college shall ensure that the policy is updated periodically to reflect changes in risks to customers or creditors or to the college from identity theft.

Section 2: DefinitionsPursuant to the Red Flag regulations at 16 C.F.R. § 681.2, the following definitions apply to this policy:

A. "Identity theft" is a "fraud committed or attempted using the identifying information of another person without authority."

B. "Covered accounts"

1. Any University account maintained primarily for a student or related to a loan administered by the University, which involves multiple payments or transactions.

2. Any University account for which there is a reasonably foreseeable risk from identify theft to customers.

C. "Red Flag" is a "pattern, practice, or specific activity that indicates the possible existence of identity theft."

D. "Identifying information": Any name or number that may be used, alone or in conjunction with any other information, to identify a specific person," including, but not limited to: name, address, telephone number, social security number, date of birth, government issued driver's license or identification number, alien registration number government passport number, employer or taxpayer identification number, unique electronic identification number (including student ID), computer Internet Protocol addresses or routing codes.

E. Identification of a "Responsible University Official"

1. The President designates the vice president of finance and administrative services as the Policy Administrator.

2. The Policy Administrator shall exercise appropriate and effective oversight of the policy and shall report regularly to the President on the status of the policy.

c. Verify changes in banking information given for billing and payment purposes.

Section 6: Responding to Red Flags and Mitigating Identity Theft

A. In the event college personnel detect identified Red Flags, such personnel shall take all appropriate steps to respond and to mitigate identity theft depending on the nature and degree of risk posed by the Red Flag, including but not limited to the following examples:

1. Continue to monitor an account for evidence of Identity theft;

2. Contact the individual;

3. Change any passwords or other security devices that permit access to accounts;

4. Not open a new account;

5. Close an existing account;

6. Reopen an account with a new number;

7. Notify public safety and/or law enforcement; or

8. Determine that no response is warranted under the particular circumstances.

Section 7: Staff Training and Reporting

A. College employees responsible for implementing the Policy shall be trained in the detection of Red Flags, and the responsive steps to be taken when a Red Flag is detected.

B. Appropriate staff shall provide reports to the Policy Administrator on incidents of identity theft, the effectiveness of the Policy, and the college's compliance with the Policy.

Section 8: Service Provider Arrangements

A. When the college engages a service provider to perform an activity in connection with one or more covered accounts, the college will take the following steps to ensure the service provider performs its activity in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft:

1. Require, by contract, that service providers have such policies and procedures in place; and

2. Require, by contract, that any service providers review the college's Policy and report any Red Flags to the Policy Administrator.